You click, you lose: a practical look at VSCode's security
Thomas Chauchefoin & Paul Gerste - 6 months ago
Developers are becoming targets of choice for threat actors: by compromising a single developer, software backdoors and supply chain attacks can lead to the compromise of high-profile organisations. For instance, a recent campaign attributed to North Korea targeted prominent developers with malicious Visual Studio projects and browser exploits. At the same time, IDEs offer increasingly advanced features and deep integration in ecosystems, sometimes at the cost of basic security measures. They tried to counterbalance it by introducing new lines of defense (e.g., "Workspace Trust"), whose design led to a cat-and-mouse game to restrict access to sensitive attack surfaces while keeping most features available by default. In this talk, we present the state of the art of Visual Studio Code's security. We show its various attack surfaces and will demonstrate how they are impacted by real-world vulnerabilities. You will now think twice before opening third-party code in your IDE!